CVE-2013-7108

Multiple off-by-one errors in Nagios Core 3.5.1, 4.0.2, and earlier, and Icinga before 1.8.5, 1.9 before 1.9.4, and 1.10 before 1.10.2 allow remote authenticated users to obtain sensitive information from process memory or cause a denial of service (crash) via a long string in the last key value in the variable list to the process_cgivars function in (1) avail.c, (2) cmd.c, (3) config.c, (4) extinfo.c, (5) histogram.c, (6) notifications.c, (7) outages.c, (8) status.c, (9) statusmap.c, (10) summary.c, and (11) trends.c in cgi/, which triggers a heap-based buffer over-read.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:S/C:P/I:N/A:P
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 98%
VendorProductVersion
nagiosnagios
𝑥
≤ 4.0.2
nagiosnagios
3.0
nagiosnagios
3.0:alpha1
nagiosnagios
3.0:alpha2
nagiosnagios
3.0:alpha3
nagiosnagios
3.0:alpha4
nagiosnagios
3.0:alpha5
nagiosnagios
3.0:beta1
nagiosnagios
3.0:beta2
nagiosnagios
3.0:beta3
nagiosnagios
3.0:beta4
nagiosnagios
3.0:beta5
nagiosnagios
3.0:beta6
nagiosnagios
3.0:beta7
nagiosnagios
3.0:rc1
nagiosnagios
3.0:rc2
nagiosnagios
3.0:rc3
nagiosnagios
3.0.1
nagiosnagios
3.0.2
nagiosnagios
3.0.3
nagiosnagios
3.0.4
nagiosnagios
3.0.5
nagiosnagios
3.0.6
nagiosnagios
3.1.0
nagiosnagios
3.1.1
nagiosnagios
3.1.2
nagiosnagios
3.2.0
nagiosnagios
3.2.1
nagiosnagios
3.2.2
nagiosnagios
3.2.3
nagiosnagios
3.3.1
nagiosnagios
3.4.0
nagiosnagios
3.4.1
nagiosnagios
3.4.2
nagiosnagios
3.4.3
nagiosnagios
3.5.1
icingaicinga
𝑥
≤ 1.8.4
icingaicinga
0.8.0
icingaicinga
0.8.1
icingaicinga
0.8.2
icingaicinga
0.8.3
icingaicinga
0.8.4
icingaicinga
1.0
icingaicinga
1.0:rc1
icingaicinga
1.0.1
icingaicinga
1.0.2
icingaicinga
1.0.3
icingaicinga
1.2.0
icingaicinga
1.2.1
icingaicinga
1.3.0
icingaicinga
1.3.1
icingaicinga
1.4.0
icingaicinga
1.4.1
icingaicinga
1.6.0
icingaicinga
1.6.1
icingaicinga
1.6.2
icingaicinga
1.7.0
icingaicinga
1.7.1
icingaicinga
1.7.2
icingaicinga
1.7.3
icingaicinga
1.7.4
icingaicinga
1.8.0
icingaicinga
1.8.1
icingaicinga
1.8.2
icingaicinga
1.8.3
icingaicinga
1.9.0
icingaicinga
1.9.1
icingaicinga
1.9.2
icingaicinga
1.9.3
icingaicinga
1.10.0
icingaicinga
1.10.1
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
icinga
zesty
not-affected
yakkety
not-affected
xenial
not-affected
wily
not-affected
vivid
not-affected
utopic
not-affected
trusty
dne
saucy
ignored
raring
ignored
quantal
ignored
precise
ignored
lucid
dne
nagios3
zesty
Fixed 3.5.1.dfsg-2.1ubuntu5
released
yakkety
Fixed 3.5.1.dfsg-2.1ubuntu3.1
released
xenial
Fixed 3.5.1.dfsg-2.1ubuntu1.1
released
wily
ignored
vivid
ignored
utopic
ignored
trusty
Fixed 3.5.1-1ubuntu1.1
released
saucy
ignored
raring
ignored
quantal
ignored
precise
ignored
lucid
ignored
Common Weakness Enumeration
References
http://lists.opensuse.org/opensuse-updates/2014-01/msg00010.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00028.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00046.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00068.html
http://secunia.com/advisories/55976
http://secunia.com/advisories/56316
http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/
http://www.mandriva.com/security/advisories?name=MDVSA-2014:004
http://www.openwall.com/lists/oss-security/2013/12/24/1
http://www.securityfocus.com/bid/64363
https://dev.icinga.org/issues/5251
https://lists.debian.org/debian-lts-announce/2018/12/msg00014.html
https://www.icinga.org/2013/12/17/icinga-security-releases-1-10-2-1-9-4-1-8-5/
http://lists.opensuse.org/opensuse-updates/2014-01/msg00010.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00028.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00046.html
http://lists.opensuse.org/opensuse-updates/2014-01/msg00068.html
http://secunia.com/advisories/55976
http://secunia.com/advisories/56316
http://sourceforge.net/p/nagios/nagioscore/ci/d97e03f32741a7d851826b03ed73ff4c9612a866/
http://www.mandriva.com/security/advisories?name=MDVSA-2014:004
http://www.openwall.com/lists/oss-security/2013/12/24/1
http://www.securityfocus.com/bid/64363
https://dev.icinga.org/issues/5251
https://lists.debian.org/debian-lts-announce/2018/12/msg00014.html
https://www.icinga.org/2013/12/17/icinga-security-releases-1-10-2-1-9-4-1-8-5/